A postman will only do mail delivery not also laundadry. My bad, the pipe program in nux systen can only send the output of one program to another program nothing less nothing more. If processing is needed use another program. Similarly, Microservices is a specialisation of an implementation approach for service-oriented architectures (SOA) used to build flexible, independently deployable software systems, wherein each service will do just one thing. Representational state transfer* (REST)** or RESTful Web services are one way of providing interoperability between computer systems on the Internet, & they provide capability to access and manipulate textual representations of Web resources using a uniform and predefined set of stateless operations, which are inturn a great way of expressing micro-services. for eg lets say, there is a rest interface to manage user which lets say is our user-management-micro-service; the next big thing is how to secure it (authorize and authenticate)? JWT can help
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.
REST based services are stateless by nature until we add security, but this needn't be the case if JWT is used. OAuth is another option but its complex, bloated & service to service communication without a web browser is tricky.
With JWT there are following entities
-- User
-- Client
-- Auth server
-- Services
There is single Authorization Server responsible to issue access token which can be consumed by multiple Resource Servers. In overall Spring Security authentication includes 2 steps, creating an authentication object for each request and applying authorization check depending on authentication.
Following are the basic componets in JWT (jot) based Authetication service framework
-
Autherization server The server which is responsible for managing authorizations and issuing access tokens to the clients for validating the Resource identity. Authentication server is generating the token in JWT format, which is encrypted by using the Public /private key mechanism. An Authentication server contains following components.
-
Data source configuration H2 database is embedded with the authorization server, which is used to store the client configurations for validate the client. The client details are kept inside e the oauth_client_details table
-
Web security configuration This is an extension of spring WebSecurityConfigurerAdapter. Enable the web-security parameters and user authentication provider set through this implementation.
-
Oauth2 Token generator This is an extension of spring AuthorizationServerConfigurerAdapter_._ Which willcreate a jwt token store. (Using the key tool to generate the key store, which contains the public/ private key) and the token is getting encrypted by using this private key. The public key is shared across the Resource server for decrypt the token. Please make sure that all the resource server contains the same public key when the key is again generated.
-
User Authentication Currently User authentication can done by following two ways 1. LDAP authentication For LDAP authentication, Authorization server needs to configure the below property in application.properties file under the resource directory.
| authentication.AuthenticationBuilder=com.flytxt.security.jwtoauthserver.authBuilder.DBAuthenticationBuilder |
|---|
If the authentication type is LDAP, it looking some more parameters from the application.properties active directory domain name and directory URL. Please find the following example configuration.
Configure the organizational unit and appropriate role along with the directory URL, if required
| authentication.mode.ldap.activeDirectoryDomain=flytxt.com authentication.mode.ldap.activeDirectoryUrl=ldap://192.168.125.10:389 |
2. JDBC based authtication (DB)
Which is the traditional way of the user validation with user name, password and roles which are validated against the database table **users** and **Use\_roles.**
Configure the spring property authentication.AuthenticationBuilderin application .properties
| authentication.AuthenticationBuilder=com.flytxt.security.jwtoauthserver.authBuilder.LdapAuthenticationBuilder |
|---|
- Resource Server
The server which hosts the protected resources, this server should be able to accept the access tokens issued by the Authorization Server and respond with the protected resource if the access token is valid.
Each client resource service will send a request to Authorization server for the authorization token and the authorization server send back the jwt token which is encrypted by a private key. The client request is proceed with this token. A resource server embedded with each resource service, which validate each resource request. The public key associated with the resource server is using to decrypt the token.
oauth_client_details
| client_id | Client Id EG : web_app |
|---|---|
| resource_ids | Comma separated resource ids |
| client_secret | Client secret key , |
| scope | Scope eg: read,write |
| authorized_grant_types | Possible values are : implicit, refresh_token, client_credentials, password, authorization_code |
| web_server_redirect_uri | Redirect URL |
| authorities | Role/ User , multiple values are Comma separated |
| access_token_validity | Token validity period in seconds |
| refresh_token_validity | Refresh Token validity period in seconds |
| additional_information | Additional information |
| autoapprove | Auto approve |
Set the resource id through the resource application.yaml
Please find the below sample resource configuration
resource:
id: foo
For embed a resource server, import the following configuration class from the resource server to resource application.
@Import ({ResourceServerConfig. class , JwtConfig.class})
Configure the API service with appropriate security. Please refer the below Example
@PreAuthorize("hasAuthority('userid/role')")
@RequestMapping(method = RequestMethod. GET )
public String readFoo() {
**return**"read foo ";
Set the following properties in application.properties
authentication.AuthenticationBuilder=com.flytxt.security.jwtoauthserver.authBuilder.LdapAuthenticationBuilder
authentication.mode.ldap.activeDirectoryDomain= flytxt.com ( Domain Name )
authentication.mode.ldap.activeDirectoryUrl=ldap://192.168.125.10:389 ( URL )
Set the following database authentication builder properties in application.properties
_authentication.AuthenticationBuilder=com.flytxt.security.jwtoauthserver.authBuilder._DBAuthenticationBuilder
The user and user roles are configure in the tables, users and user_role.
curl -u <client Id :client secret > <token server URL> -d "grant_type=password& username= <user_name> &password=<pwd>"
Eg: curl -u web_app:client_pwd http://localhost:9000/oauth/token -d "grant_type=password &username=john&password=john_pwd"
The user name and password are from active directory user name and pwd in the case of ldap authentication and in case of Database the credentials are validated against the user and role table.
Eg: curl -u web_app:client_pwd http://localhost:9000/oauth/token -d "grant_type= client _credentials".
The client application should invoke the appropriate web-request for generating the token and set the token while requesting for a resource.
curl -H "Authorization: Bearer $TOKEN" "localhost:9001/foo"